Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

SVCHOST.EXE-2D5FBD18.pf Trojan


  • This topic is locked This topic is locked

#1
Ken of Texas

Ken of Texas

    Member

  • Member
  • PipPip
  • 12 posts
I encountered a significant decrease in performance on my laptop including freezing up when I opened Outlook. I opened task manager and noticed that one particular svchost.exe was quite large and consuming memory. I disabled it and did a search for svchost* and located “SVCHOST.EXE-2D5FBD18.pf” at WINDOWS/Prefetch. I assume this is a Trojan virus. I renamed the file to “.old” and tried rebooting to see if that fixed the problem. Every time I reboot, the file is renewed. So now, when I reboot, I have been opening task manager and review it for the Trojan effect, and then go through the same process again to disable it. I have also experienced loss of audio and a change in language on occasion. After rebooting and disabling the hijacked svchost.exe, these functions seem to return to normal.

I have completed all of the steps suggested on the website. The AVG Anti-Spyware found a couple of mild-risk generic adware items and did not provide a report. The SuperAntiSpyware found nothing. The Panda scan, HijackThis and Uninstall reports are below.

Thanks in advance for your help. This has already cost me lots of hours of downtime and frustration.

Ken


Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\kfleming\Favorites\Insurance
Virus:W32/Nuwar.D.worm Disinfected Personal Folders\Deleted Items\Chinese missile shot down USA aircraft\Full Clip.exe
Virus:W32/Nuwar.D.worm Disinfected Personal Folders\Deleted Items\Chinese missile shot down USA aircraft\Read More.exe
Virus:W32/Nuwar.D.worm Disinfected Personal Folders\Deleted Items\Russian missle shot down USA satellite\Read More.exe
Virus:W32/Nuwar.D.worm Disinfected Personal Folders\Deleted Items\Chinese missile shot down Russian satellite\Full Video.exe
Virus:Trj/Alanchum.OD Disinfected Personal Folders\Deleted Items\Russian missle shot down USA satellite\Click Here.exe
Virus:Trj/Alanchum.OD Disinfected Personal Folders\Deleted Items\First Nuclear Act of Terrorism!\Full Text.exe
Virus:Trj/Alanchum.OD Disinfected Personal Folders\Deleted Items\I Love You Mower\Flash Postcard.exe
Virus:Trj/Alanchum.OL Disinfected Personal Folders\Deleted Items\Wrapped Up\Greeting Card.exe
Virus:Trj/Alanchum.OJ Disinfected Personal Folders\Deleted Items\From this day forward\Greeting Postcard.exe
Virus:Trj/Alanchum.OD Disinfected Personal Folders\Deleted Items\Our Two Hearts\Greeting Card.exe
Virus:Trj/Alanchum.ON Disinfected Personal Folders\Deleted Items\A Bouquet of Love\Postcard.exe
Virus:Trj/Alanchum.OL Disinfected Personal Folders\Deleted Items\Your Love Has Opened\flash postcard.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\Romantic Picnic Coupon\Flash Postcard.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\Our Love is Free\Flash Postcard.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\Baby, I'll Be There\Flash Postcard.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\Our Love is Free\Greeting Postcard.exe
Virus:Trj/Alanchum.PK Disinfected Personal Folders\Deleted Items\A Special Kiss\Greeting Postcard.exe
Virus:Trj/Alanchum.PJ Disinfected Personal Folders\Deleted Items\Take My Hand\Greeting Card.exe
Virus:Trj/Alanchum.PK Disinfected Personal Folders\Deleted Items\Falling In Love with You\Postcard.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\True Love\Postcard.exe
Virus:Trj/Alanchum.PV Disinfected Personal Folders\Deleted Items\The Sweet Taste of Love\greeting postcard.exe
Virus:Trj/Alanchum.PV Disinfected Personal Folders\Deleted Items\Everyone Needs Someone\Greeting Postcard.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\Bewitching Moonlight\Postcard.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\Touched by Love\greeting card.exe
Virus:W32/Nurech.A.worm Disinfected Personal Folders\Deleted Items\Words I Write\postcard.exe
Virus:Backdoor Program Disinfected C:\GDX\autorun.inf
Virus:Backdoor Program Disinfected


Logfile of HijackThis v1.99.1
Scan saved at 9:06:22 AM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flemingbros.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.micr...pdate?clid=1033
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\PROGRAM FILES\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...ads/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174072275995
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://demo.eventsoft.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = groupdynamix.com
O17 - HKLM\Software\..\Telephony: DomainName = groupdynamix.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = groupdynamix.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Unknown owner - C:\WINDOWS\system32\basfipm.exe (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

1-2-3 PayPal Website Payments
ABBYY FineReader OCR Engine for Microtek
ABC2Win Beta
AbcMus 2.0
Adobe Acrobat 7.0.8 Standard
Adobe Flash Player 9 ActiveX
Adobe PageMaker 7.0
Adobe Photoshop 7.0
Adobe Photoshop Elements 2.0
Adobe Reader 8
AnyTime Organizer
Apple Software Update
ATI Control Panel
ATI Display Driver
AVG 7.5
AVG Anti-Spyware 7.5
Beyond Contacts
Bluetooth Stack for Windows by Toshiba
Broadcom Advanced Control Suite 2
Broadcom ASF Management Applications
Conexant D110 MDC V.9x Modem
Dell Printer Software
DesignPro 5.0 Sign Edition
Digidesign Pro Tools M-Powered 7.0
Digidesign Shared Plug-Ins 7.0
Digital Line Detect
EPSON Printer Software
eTrust EZ Armor
Free Bomb Factory Plug-Ins 7.0
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Deskjet 6500
HP Deskjet 6500 Series
HP Software Update
InterLok Driver Kit
Internal Network Card Power Management
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Macromedia Flash Player
Maxtor OneTouch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Professional Edition 2003
Microsoft Office XP Media Content
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobilePre
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
NetWaiting
PACE System Files
Palm Desktop
Panda ActiveScan
PowerDVD 5.1
ProSchool v3.0
QBFC 2.1
QuickBooks Pro 2007
QuickBooks Product Listing Service
Quicken 2007
QuickSet
QuickTime
RealPlayer
Retrospect Express HD 1.0
RoadRunner
ScanWizard 5
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
SupportSoft Assisted Service
TimeClock Plus 4
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
USB Storage Adapter FX (MXO)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB893086
WinZip
Yahoo! Install Manager
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Ken and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post as quickly as you’d like; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

I don’t see anything untoward in your HJT log or your uninstall list. The file you referred to is quite legitimate and will rebuild itself on rebooting. Let’s see what we can do with a scan and a clean up.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
combofix.exe

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back a fresh HijackThis log (from normal mode) and I will take another look.
  • 0

#3
Ken of Texas

Ken of Texas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Crustyoldbloke,
There is only one user on my computer. I do have it networked to my family at home and to my office network when at work, but I am the only user on this computer. By the way, I was never asked to reboot into Safe Mode, so I assume your reference to that has to do with some future instructions. Anyway, here are the reports you asked for:

"KFleming" - 07-03-21 16:43:25 Service Pack 2
ComboFix 07-03-22 - Running from: "C:\Downloads"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\install.log


((((((((((((((((((((((((((((((( Files Created from 2007-02-21 to 2007-03-21 ))))))))))))))))))))))))))))))))))


2007-03-21 16:32 <DIR> d-------- C:\Program Files\CCleaner
2007-03-21 00:06 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-20 21:02 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-20 21:02 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\SUPERAntiSpyware.com
2007-03-20 21:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-20 21:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-20 18:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-17 06:59 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\Media Player Classic
2007-03-17 00:49 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\AdobeUM
2007-03-16 16:57 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-03-16 14:26 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-03-16 14:05 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\Google
2007-03-16 13:25 499,712 --a------ C:\DOCUME~1\jmark\NTUSER.DAT
2007-03-16 13:25 <DIR> d-------- C:\DOCUME~1\jmark\APPLIC~1\Sun
2007-03-16 13:25 <DIR> d-------- C:\DOCUME~1\jmark\APPLIC~1\Sonic
2007-03-16 13:25 <DIR> d-------- C:\DOCUME~1\jmark\APPLIC~1\Intel
2007-03-16 13:22 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\Adobe
2007-03-16 13:21 2,359,296 --ah----- C:\DOCUME~1\kfleming\NTUSER.DAT
2007-03-16 13:21 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\Sun
2007-03-16 13:21 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\Sonic
2007-03-16 13:21 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\Real
2007-03-16 13:21 <DIR> d-------- C:\DOCUME~1\kfleming\APPLIC~1\Intel
2007-03-16 13:15 <DIR> d--hs---- C:\WINDOWS\CSC
2007-03-14 23:33 57,344 --a------ C:\WINDOWS\unezfw.exe
2007-03-14 23:33 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-14 23:33 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-03-14 23:32 243,824 --a------ C:\WINDOWS\unicows.dll
2007-03-14 23:31 <DIR> d-------- C:\Program Files\CA
2007-03-14 23:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-03-12 10:54 557,056 --a------ C:\DOCUME~1\Ken\GoToAssist_phone__317_en.exe
2007-03-06 15:29 <DIR> d-------- C:\Program Files\DESI
2007-02-26 19:32 <DIR> d-------- C:\Quickbooks Files
2007-02-26 19:30 1,933,312 --a------ C:\WINDOWS\system32\cdintf251.dll
2007-02-26 19:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\COMMON FILES
2007-02-25 21:07 1,933,312 --a------ C:\WINDOWS\system32\cdintf250.dll
2007-02-25 21:07 <DIR> d-------- C:\DOCUME~1\Ken\APPLIC~1\Intuit
2007-02-25 21:06 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-21 01:19 -------- d-------- C:\Program Files\quicktime
2007-03-21 01:13 -------- d-------- C:\Program Files\itunes
2007-03-21 01:09 -------- d-------- C:\Program Files\google
2007-03-21 01:09 -------- d-------- C:\Program Files\digital line detect
2007-03-21 01:07 -------- d-------- C:\Program Files\Common Files\dataviz
2007-03-17 07:02 -------- d-------- C:\Program Files\palm
2007-03-17 07:02 -------- d-------- C:\Program Files\divx
2007-03-17 06:59 -------- d-------- C:\Program Files\k-lite codec pack
2007-03-08 18:02 -------- d-------- C:\Program Files\proschol
2007-03-02 09:00 2241 --a------ C:\WINDOWS\panose.bin
2007-02-26 19:31 -------- d-------- C:\Program Files\intuit
2007-02-26 19:27 -------- d-------- C:\Program Files\Common Files\intuit
2007-02-25 21:38 -------- d-------- C:\Program Files\quicken
2007-01-27 12:19 73216 --a------ C:\WINDOWS\st6unst.exe
2007-01-27 12:19 249856 --------- C:\WINDOWS\setup1.exe
2007-01-27 12:08 -------- d-------- C:\Program Files\punchclock2
2007-01-27 11:32 -------- d-------- C:\Program Files\timeclock plus
2007-01-23 17:17 -------- d-------- C:\Program Files\apple software update
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-12-29 12:49 335 --a------ C:\WINDOWS\nsreg.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"RetroExpress"="C:\\PROGRA~1\\Dantz\\RETROS~1\\RetroExpress.exe /h"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"MXOBG"="C:\\WINDOWS\\MXOALDR.EXE"
"MaxtorOneTouch"="C:\\Program Files\\Maxtor\\OneTouch\\utils\\Onetouch.exe"
"M-Audio Taskbar Icon"="C:\\WINDOWS\\System32\\M-AudioTaskBarIcon.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"EPSON Stylus C84 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2D1.EXE /P23 \"EPSON Stylus C84 Series\" /O6 \"USB002\" /M \"Stylus C84\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"DLPSP"="\"C:\\Program Files\\Dell Printers\\Additional Color Laser Software\\Status Monitor\\DLPSP.EXE\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"DigidesignMMERefresh"="C:\\Program Files\\Digidesign\\Drivers\\MMERefresh.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
WudfServiceGroup REG_MULTI_SZ WUDFSvc\



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-21 16:46:32

Logfile of HijackThis v1.99.1
Scan saved at 16:54, on 07-03-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.flemingbros.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.micr...pdate?clid=1033
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...ads/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174072275995
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://demo.eventsoft.com/msrdp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = groupdynamix.com
O17 - HKLM\Software\..\Telephony: DomainName = groupdynamix.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = groupdynamix.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Unknown owner - C:\WINDOWS\system32\basfipm.exe (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

Thanks!
Ken
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Ken

Is your CPU still spiking at 100% most of the time?

There's nothing really obvious showing up in the logs so far. Your Java is a little old and could be an exploit, perhaps an update and a Tune-up will help.

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm

Click start then all programmes, accessories, system tools to run disc clean up

Reboot

Click start then all programmes, accessories, system tools to run defragmenter

Download, install and run Tune Up 2007 Trial It is a 30-day free trial.

Run Tune Up disc clean up

Run Tune Up registry clean up

Disable your anti virus programme then click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot

Check the anti virus programme is running after the reboot.

Those will have cleared the drive of obsolete software errors

These are suggestions for making the most of the free trial

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor

Please let me know what is happening at your end now?
  • 0

#5
Ken of Texas

Ken of Texas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Every time I reboot, the svchost file increases to 100%. I have not let it get that far as I have disabled it in Task Manager. I then do a search on the C drive and locate the newly created SVCHOST.EXE-....... in the WINDOWS/Prefetch folder that I assume is the cause of the problem. I just noticed in my Outlook that the dates are all wrong. I just checked my time/date and it has been changed. I wonder what other issues this virus has caused.

I will do as you have asked in your post, but several questions please. Most of what you have suggested seems to relate to improving performance or cleaning up. Are these steps going to result in the removal of the trojan? Everything that I have done, downloading and running all of the applications, has resulted in no change. I beginning to worry that I may have to wipe the drive clean and start over, a costly step. Does this trojan have a name and can it be removed?

Thanks for your help.
Ken
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Ken

SVCHOST is quite legitimate and I have 8 running right now, You should have one instance of the file in the prefetch folder, quite legitimately. I cannot see anything bad in the logs so far, to cause a 100% spike in the CPU usage.

I am sorry that you are disappointed in my help; I am trying to understand the problem as best I can.

Can I suggest that you let me see everything by not disabling anything in MSCONFIG. I believe that your problem is possibly originating in Outlook based upon the infected files found by Panda.

You mention a Trojan in your last post. Please tell me the name and path of the Trojan and I will give you a fix to cure it.

My experience tells me that very often this 100% CPU usage is due to a corrupt index.dat file, which is not easy to delete manually. The easiest way is to let an auto cleaning programme do it for you.

Open Ccleaner.

Ensure there is a check mark or tick in the box marked index.dat under Internet Explorer and the same for temporary files under system. All other boxes should be clear for this fix.

Now click Run Cleaner

Reboot normally.

Did that fix the problem?
  • 0

#7
Ken of Texas

Ken of Texas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I'm not disapppointed in your help, just the outcome. I'm wearing myself out on this as I have tried everything and so far I still have the problem. Let me attempt to make it more clear, as I am not someone who can converse well regarding computers. Four days ago I noticed a decline in the speed of opening Outlook. In fact, it froze up. A brother of mine suggested I look into the Task Manager and find out what was using the memory. We discovered that there was an svchost.exe process that was hovering around 100%. My brother did some research and advised me to do a search on the C drive for all of the svchost* files. We found one in the C:\i386 folder and one in the C:\WINDOWS\system32 folder. Of particluar interest, we found one in the C:\WINDOWS\prefetch folder but it was in all caps -- SVCHOST.EXE-2D5FBD18.pf. My brother suggested I disable the svchost.exe that was spiking and then rename the file in C:\WINDOWS\prefetch. That seemed to stop the spiking and I cpould resume normal computing. The problem is that other effects started happening: example-- my files in Outlook have dates that are in this order - 07 03 21 (03/21/07). Furthermore, every time I reboot, the same problem of spiking and the creation of the SVCHOST in the prefetch folder occurs. I have done everything that has been asked, but sadly, the problem still exists. I have read in my researching of this that there shouldn't be an svchost file in caps and they should reside in the system32 folder only. If true, then something is creating it and putting it there. I don't have a path to the Trojan. Maybe it's not a trojan but a corrupt file somewhere. I just know that it is causing a great deal of difficulty for me to operate the computer normally. Any ideas what may be causing it? Should I re-install Office or Outlook? Thanks!
Ken
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Ken

I can only advise you, but it is up to you if you follow my advice or that of your brother.

Please allow me to allay your fears somewhat. As you know svchost (service host) is legitimate. It should be present in a number of places on your PC. The fact that the one in the prefetch folder is in upper-case makes no difference, that is normal. For it to be a Trojan it would have to be in the wrong folder or spelt slightly differently, for example scvhost.

The file that runs is C:\Windows\System32\svchost.exe, all the others are back ups and do not run, so deleting the prefetch will make no difference.

The CPU spike is normally a sign of an attack which should be blocked by your firewall. You can test your firewall here: http://www.grc.com/default.htm follow the link for SHIELDS UP and when asked, request an ALL SERVICE PORTS SCAN.

In Control Panel, select Network Connections, select the connection that corresponds to your internet connection, right click on that and select Properties, select the Advanced tab, and make sure that Protect my computer and network by limiting or preventing access to this computer from the Internet is checked. You can also adjust the settings there.

If the attack is not external, then it will be internal, therefore we must look for a virus. Let's use the best scanner in the world.

Please visit Kaspersky using Microsoft Internet Explorer, for an on-line scan. Please select extended in the scan settings option; you will find it to be the second option from the top. Please post the Kaspersky log in your reply

As previously stated, sometimes a corrupted index.dat file can be to blame and I have already shown you how to deal with that.

The reason I am intent on cleaning your PC is that you complain of its slowness and that is often the cure.

As previously stated, my guess is that your Outlook programme is corrupted and certainly a place that has been compromised by virii activity. I would be inclined to uninstall it, reboot normally so as to refresh your registry, and then re-install Outlook afresh.
  • 0

#9
Ken of Texas

Ken of Texas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I followed my brother's advice in the beginning, but have not since first logging on to this website. All he did was point out several things -- a svchost.exe process in the Task Manager spiked to near 100% and something then freezes up my computer regardless of what application I may be in. In fact, Outlook was not open during several of the tests I made in which this spiking occured. He also pointed out that an SVCHOST.EXE file is created in the prefetch folder each time. By disabling the svchost.exe process in Task Manager, I am able to run most programs normally which leads me to believe that there is some trojan virus masquerading as an svchost.exe.

Here is the report from ShieldsUp:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2007-03-22 at 13:41:31

Results from scan of ports: 0-1055

0 Ports Open
0 Ports Closed
1056 Ports Stealth
---------------------
1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

----------------------------------------------------------------------

I was unable to open the link to the Kaspersky scan. I tried several times but keep getting the message: "Internet Explorer cannot display the webpage." I will keep trying and send you the report when it is done. Thanks for working with me on this.
Ken
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Ken

This is just a thought since I am not experiencing any problems with the Kaspersky website. I wonder if you have a stealth virus that is blocking AV sites. With that in mind, it will probably attack your HOSTS file, so let's change it for one which I normally recommend at the end of a fix anyway.

Download and Install MVPS hosts file.

This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

Please go to: MVPS Hosts file

If you scroll down the MVPS page, you will see an animated folder next to hosts.zip Download that file to your desktop and right click on it, choose EXTRACT ALL and a window will open containing the files, double click mvps.bat and a DOS screen will open inviting you to press any key to continue. That's all there is to it.

Please bookmark/add to favourite this site as the file is updated every 14 days, so you need to do this once a month.

From now on, whilst surfing, you will notice some sites not loading and you may see the word “advertisement” on some pages, this is because the IP address of either the site or advertiser is known as bad and it is being blocked.
  • 0

Advertisements


#11
Ken of Texas

Ken of Texas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I am at my office now and I've just observed something that may be key to uncovering what is going wrong. I am connected to our server and there are currently no problems, other than the dates are still messed up in Outlook, but there isn't any spiking occuring at present. Also, the SVCHOST file that usually is created in the prefetch folder was not created. It makes me wonder that it might have something to do with the computer trying to connect with the server when my computer is at home and develops some sort of major conflict when it doesn't find the server. By the way, we just installed the client/server system this past weekend at my office and that is when I began experiencing the problems I'm having. Still, would that explain the corruption of the time/dates in Outlook? This is all so confusing.
Ken
  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Ken

How can I persuade you that the SVCHOST in prefetch is a red herring? I will state again that it is legitimate. It will be rebuilt when the programme is called upon. So, if it has not been rebuilt, then logic tells me that it hasn't been called upon to do so and we can now eliminate all of your start-up programmes as being the source. This still leaves Outlook as a suspect since it is not in start-up.

The spike you see is because something is using the service host, that can be either external or internal. Outlook is a programme that contacts external agents in its function, so I stand by what I have already stated.

The 017 entries point at groupdynamix.com, which I assume is from the network at your place of work. Correct me if I am wrong in my assumption.
  • 0

#13
Ken of Texas

Ken of Texas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
You have already persuaded me that svchost.exe is not the issue. All I was doing was reporting to you that it did not spike and the file was not created in prefetch thus confirming what you have been saying. Yes, that is my company network. Should I go ahead and re-install Outlook or Office to see if that is the source of the problem?
Ken
  • 0

#14
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Please try Outlook as a separate entity at this stage. Uninstall, reboot, then re-install.

Install the MVPS HOSTS too.

Any luck with Kaspersky?
  • 0

#15
Ken of Texas

Ken of Texas

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I finally was able to do the Kaspersky scan. I'll wait your review and comment before I uninstall Outlook in case the results of the scan chanh=ges anything. Here is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
07-03-23 00:45
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/03/2007
Kaspersky Anti-Virus database records: 268091
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
P:\

Scan Statistics:
Total number of scanned objects: 98504
Number of viruses found: 2
Number of infected objects: 6 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:31:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\RetroExp\config10.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\RetroExp\operations_log.utx Object is locked skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.binaries.erotica.broadband.dbx/[From [email protected]][Date 11 Jun 2006 21:47:53 GMT]/Eliza Infected: Trojan-Downloader.WMA.Wimad.h skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.binaries.erotica.broadband.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.nospam.erotica.dbx/[From [email protected]][Date Mon, 31 Jul 2006 17:29:19 GMT]/Brittany Infected: Trojan-Downloader.WMA.Wimad.h skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\Microsoft\Outlook Express\alt.binaries.multimedia.nospam.erotica.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Deleted Items/01 Oct 2005 21:38 from eBay Inc:eBay Inc: Please Validate Your A.rtf Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Ken\Local Settings\Application Data\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\kfleming\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\kfleming\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\kfleming\Local Settings\Application Data\ApplicationHistory\RetroExpress.exe.ef08464a.ini.inuse Object is locked skipped
C:\Documents and Settings\kfleming\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\kfleming\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\kfleming\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\kfleming\Local Settings\Temp\Perflib_Perfdata_d98.dat Object is locked skipped
C:\Documents and Settings\kfleming\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\kfleming\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\kfleming\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\kfleming\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP590\change.log Object is locked skipped
C:\WINDOWS\CSC000001 Object is locked skipped
C:\WINDOWS\CSC000002 Object is locked skipped
C:\WINDOWS\CSC000003 Object is locked skipped
C:\WINDOWS\CSC\d2000011 Object is locked skipped
C:\WINDOWS\CSC\d3000012 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks.
Ken
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP